From a752dbe605f122611673803eb1674ef5d97f110f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 22 Jul 2025 18:46:17 +0200
Subject: [PATCH] fix(profile): fixes for issues raised by newly enabled tests.
---
 apparmor.d/groups/apt/dpkg-preconfigure | 1 +
 apparmor.d/groups/apt/dpkg-script-linux | 12 +++++++++++-
 apparmor.d/groups/apt/dpkg-scripts | 1 +
 apparmor.d/groups/network/netplan-generate | 1 +
 apparmor.d/profiles-s-z/ucf | 12 ++----------
 5 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 716cd1dc8..66131c6e7 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -36,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} {
 @{bin}/stty ix,
 @{bin}/tr ix,
 @{bin}/uniq ix,
+ @{bin}/which{,.debianutils} ix,
 @{bin}/apt-extracttemplates Px,
 @{bin}/dpkg Px -> child-dpkg,
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
index d6a8db473..24c6c74df 100644
--- a/apparmor.d/groups/apt/dpkg-script-linux
+++ b/apparmor.d/groups/apt/dpkg-script-linux
@@ -19,11 +19,14 @@ profile dpkg-script-linux @{exec_path} {
 @{bin}/run-parts ix,
 @{bin}/stty ix,
+ @{bin}/deb-systemd-helper Px,
+ @{bin}/deb-systemd-invoke Px,
+ @{bin}/dpkg-maintscript-helper Px,
 @{bin}/dpkg-trigger Px,
 @{bin}/kmod Px,
 @{bin}/linux-check-removal Px,
 @{bin}/linux-update-symlinks Px,
- @{bin}/dpkg-maintscript-helper Px,
+ @{bin}/systemctl Cx -> systemctl,
 /usr/share/{update,reboot}-notifier/notify-reboot-required Px,
 /etc/kernel/{,header_}postinst.d/* Px,
@@ -36,6 +39,13 @@ profile dpkg-script-linux @{exec_path} {
 @{lib}/linux/triggers/* w,
 @{lib}/modules/*/.fresh-install w,
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index 44e4790c4..5743ab904 100644
--- a/apparmor.d/groups/apt/dpkg-scripts 
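Review bot: The new `systemctl` child profile in the second dpkg-script-linux hunk has no comment explaining why systemctl is confined as a child (`@{bin}/systemctl Cx -> systemctl,` in the first hunk) while the neighbouring deb-systemd-helper and deb-systemd-invoke rules transition with Px, and its body is three include directives whose targets are not readable on this page, so a reader cannot tell what the child is allowed to do. A one-line comment above `profile systemctl {`, such as `# systemctl is run directly from the kernel package maintainer scripts; confined as a child of this profile`, adjusted to the actual caller if that is not it, would make the intent reviewable. The enclosing profile dpkg-script-linux begins outside both hunks; the second hunk contains its closing brace.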
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -80,6 +80,7 @@ profile dpkg-scripts @{exec_path} {
 /tmp/tmp.@{rand10} rw,
 @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
 profile bus {
 include
diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
index 64f8399e1..74ed20aaf 100644
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/netplan/generate
 profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 capability chown,
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 3c3374d85..9e459f261 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/ucf
 profile ucf @{exec_path} {
 include
+ include
 include
 include
@@ -17,11 +18,11 @@ profile ucf @{exec_path} {
 @{sh_path} rix,
 @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
 @{bin}/cat rix,
 @{bin}/cp rix,
 @{bin}/dirname rix,
- @{bin}/{m,g,}awk rix,
 @{bin}/getopt rix,
 @{bin}/id rix,
 @{bin}/md5sum rix,
@@ -39,8 +40,6 @@ profile ucf @{exec_path} {
 @{bin}/dpkg-divert rPx,
 @{pager_path} rCx -> child-pager,
- /usr/share/debconf/frontend Cx -> debconf,
-
 # For md5sum
 /usr/share/** r,
@@ -57,13 +56,6 @@ profile ucf @{exec_path} {
 deny capability sys_admin, # optional: no audit
- profile debconf {
- include
- include
-
- include if exists
- }
-
 include if exists
 }
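Review bot: The first ucf hunk adds an include directive whose target is not readable on this page, while the third and fourth ucf hunks drop `/usr/share/debconf/frontend Cx -> debconf,` and the `debconf` child profile; if that include is what now covers the debconf frontend, its accesses are granted inside the ucf profile itself rather than in a separately confined child, so ucf's own permissions widen by whatever the include grants. The diff records nothing about that trade-off; a short comment on the added include line, e.g. `# supersedes the former debconf child profile`, would keep the reason visible to the next maintainer. If the include is unrelated to debconf, then no remaining rule in the new ucf profile allows executing the frontend, which should be checked against the tests that motivated the commit. The profile ucf begins outside every hunk; the last hunk contains its closing brace.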